Static Scan Results
scanned 4h ago · by rust-scanner
Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Static reason
One or more suspicious static signals were detected.
Decision evidence
public snapshot
Behavioral surface
ChildProcess · Crypto · EnvironmentVars · Filesystem · Network · Shell · HighEntropyStrings · UrlStrings
Source & flagged code
5 flagged
dist/index.js
L49: // src/utils/compat.ts
L50: import { spawn as nodeSpawn } from "node:child_process";
L51: import { writeFile as fsWriteFile } from "node:fs/promises";
High
L124: }
L125: function escapePowerShellPath(path4) {
L126: return path4.replace(/'/g, "''");
High
L49: // src/utils/compat.ts
L50: import { spawn as nodeSpawn } from "node:child_process";
L51: import { writeFile as fsWriteFile } from "node:fs/promises";
...
L9124: _resolve: { value: function(href) {
L9125: return new URL4(this._documentBaseURL).resolve(href);
L9126: } },
...
L18822: try {
L18823: const content = fs.readFileSync(configPath, "utf-8");
L18824: let rawConfig;
High
Remote Agent Bridge
Source exposes local file and command tools to a remote model endpoint.
dist/index.js · L49
L49: // src/utils/compat.ts
L50: import { spawn as nodeSpawn } from "node:child_process";
L51: import { writeFile as fsWriteFile } from "node:fs/promises";
...
L58: if (!stream.readable) {
L59: resolve(Buffer.concat(chunks).toString("utf-8"));
L60: return;
...
L70: options?.stdin ?? "ignore",
L71: options?.stdout ?? "pipe",
L72: options?.stderr ?? "pipe"
...
L106: function getWindowsBuildNumber() {
L107: if (process.platform !== "win32")
L108: return null;
Low
dist/cli/index.js
L21: // src/utils/compat.ts
L22: import { spawn as nodeSpawn } from "node:child_process";
L23: function collectStream(stream) {
...
L29: if (!stream.readable) {
L30: resolve(Buffer.concat(chunks).toString("utf-8"));
L31: return;
...
L41: options?.stdin ?? "ignore",
L42: options?.stdout ?? "pipe",
L43: options?.stderr ?? "pipe"
...
L74: function getWindowsBuildNumber() {
L75: if (process.platform !== "win32")
L76: return null;
Medium
Install Persistence
Source writes installer persistence such as shell profile or service configuration.
dist/cli/index.js · L21
Findings
3 High · 4 Medium · 6 Low
High · Child Process · dist/index.js
High · Shell · dist/index.js
High · Remote Agent Bridge · dist/index.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/cli/index.js
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · dist/index.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings